Is it possible to add new Layer 7 rules?

Is it possible to add new Layer 7 Rules for QoS?

In theory, yes. They are in /etc/l7-protocols/protocols and you can add more.

They are all regular expressions and plenty of them are of poor quality or for protocols that nobody is using any more.

What would be your need for this?
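As an added illustration (not code from this thread or from IPFire), the following Python snippet mimics how an l7-filter pattern file is read and applied to the first bytes of a flow, and why two TLS-based services end up in the same bucket. The pattern texts are constructed and simplified, not copies of the real files under /etc/l7-protocols/protocols.

```python
import re

# Constructed pattern texts in the l7-filter file layout: comment lines,
# then the protocol name, then the regular expression. Simplified, not the
# real entries shipped in /etc/l7-protocols/protocols.
PATTERN_FILES = {
    "http.pat": """# HTTP (constructed, simplified)
http
^(get|post|head) [\\x09-\\x0d -~]* http/1\\.[01]
""",
    "ssl.pat": """# TLS handshake record followed by a ClientHello (constructed)
ssl
^\\x16\\x03[\\x00-\\x03]..\\x01
""",
}

def load_pattern(text):
    """Return (name, compiled regex) from l7-filter style text.
    l7-filter matches case-insensitively against raw payload bytes; we
    assume Python's re agrees with its POSIX regex for these patterns."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    name, regex = lines[0], lines[1]
    return name, re.compile(regex.encode("latin-1"), re.IGNORECASE | re.DOTALL)

PATTERNS = [load_pattern(t) for t in PATTERN_FILES.values()]

def classify(payload, patterns=PATTERNS, limit=2048):
    """Like l7-filter, inspect only the start of the flow and return the
    first protocol whose regex matches, otherwise 'unknown'."""
    head = payload[:limit]
    for name, rx in patterns:
        if rx.search(head):
            return name
    return "unknown"

def demo():
    """Classify constructed payloads; both ClientHellos come out as 'ssl'."""
    http_req = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    # Two constructed TLS ClientHello record headers standing in for two
    # different video services: the payload regex cannot tell them apart.
    hello_a = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"A" * 32
    hello_b = b"\x16\x03\x03\x00\xf0\x01\x00\x00\xec\x03\x03" + b"B" * 32
    return [classify(p) for p in (http_req, hello_a, hello_b, b"\x00\x01\x02")]

if __name__ == "__main__":
    print(demo())
```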

I think it would be nice if we could make one for Zoom/Teams or Netflix (DASH). There are a lot of new services out there that don’t use specific (identifiable) ports, and can’t be classified easily. Netflix hogging bandwidth is a big problem now during covid-19, even within individual homes.

nDPI could be an option?

True, but I am not sure whether you will be able to identify this looking at the packets. You will probably see a very simple TLS connection and that is it.

What would work though is checking from which AS the traffic is coming and filter or de-prioritise that. We have plans for that because we are building a replacement for the GeoIP database and that would also include AS information.

However, we are busy with plenty of projects now, so that this is merely a side-thing for the moment. If someone is interested in helping us out, please don’t hesitate 🙂


Ok, that’s much harder than I thought it would be. It would be really nice if domain names could be used for source/destination.

@ms Another question for you. Should ECN be enabled for QoS (on the client)?

I would say yes. We usually have it enabled on IPFire.

Ok, so I guess Layer 7 protocols won’t help much here. That nDPI thing looks interesting, has anyone here tried it before? I’d have to do a lot of research if I were to try to use it… also I’m not sure how to integrate it into IPFire, although I found this

Also, what did AS stand for? Is that like a database of IPs used by companies?


Also, what did AS stand for? Is that like a database of IPs used by companies?

AS stands for “Autonomous System”. You can see it that way, although it is more related to public routing via BGP.

Thanks, and best regards,
Peter Müller

I don’t think nDPI looks good. It is very messy code which might have plenty of holes - you are operating inside the kernel here. And last time I checked it was unmaintained. There are plenty of forks out there, but they are all dead for years AFAIK.